HTTP Response Splitting

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack.  Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client’s web-cache, hijacking of web pages, defacement and a myriad of other related attacks.  A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.

A simple CRLF Injection example

Suppose you run a vulnerable website that has a language section. Sign in as admin and goto customize site language option and select English as language and intercept the request on proxy.


Use Burp to intercept the request.


This is CRLF payload(carriege return-line feed)

Add CRLF payload in lang parameter.

Now forward the request. It is observed that application gives two responses.

First response is actual response and second response is our CRLF payload response due to which javascript executes, XSS done

  This attack appears to simply executes the script on the browser however the danger is that YOUR server has generated this HTML code, so effectively the hacker has injected HTML code into the victims browser via YOUR web server! Ouch.  More sophisticated variations of this example can lead to poisioning of the client’s web-cache, cookies, XSS, temporary or permanent defacement of web pages and even information theft.

Comments

Post a Comment

Popular posts from this blog

Location.Hash exploit || JQuery 1.11.3/1.7.2/1.6.1 Cross Site Scripting

Image
This is the code for exploiting (location.hash) JQuery for Cross Site Scripting: <html>     <head>          <title>Jquery XSS Test 1</title>                 <script type="text/javascript"                                             src=" https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js ">                 </script>                 <script>                     $(location.hash.split('#')[1]);                 </script>    </head>      <body>         Jquery DOM XSS     </bo...
Read more

JQuery UI 1.11.4 Cross Site Scripting

Vulnerability name: XSS Reflected JQuery UI 1.11.4  I think nearly everyone gets shocked, when your Acunetix shows Cross Site Scripting in Jquery UI. But, may be many of you don’t know how to exploit it. So, here is a Code which will explain how to exploit vulnerabilities like these. Place the script on dialog function as shown in the Code below. <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head>     <title>XSS in closeText option of component ui dialog</title>     <script src="https://code.jquery.com/jquery-2.1.4.js"></script>     <script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>       <script>         $(document).ready(function () {             $('#dialog').dialog({ closeText: ' <script>ale...
Read more

Yahoo Rolls Out Security Scanning Platform Gryffin: Here's What You Can Do With It

Image
Yahoo launches a new open-source project that will allow system administrators to perform URL scanning in order to find the presence of common security vulnerabilities and malicious web content. Dubbed " Project Gryffin ," it will initially launch in beta and will be under the BSD-style license, the type of license that Yahoo likes to use whenever it is launching open source projects. According to Yahoo, Gryffin is a large-scale Web security scanning platform designed to address two specific issues namely Coverage and Scale . Coverage is said to be made up of two dimensions. The first one, crawl, refers to having the ability to find as much of the application's footprint as possible. The second dimension, scan , refers to having the ability to test each application part based on applied set of vulnerabilities. Scale is obviously implied for large Web, while Coverage has two dimensions – Crawl and Fuzzing. Crawl's ability is to find as much...
Read more